How to Address Security Vulnerabilities in the Development Cycle

State and local agencies are focused on two concurrent and related IT tasks: digital transformation and cybersecurity. Although they once were separate efforts, today they go hand in hand – with software at the heart of digital transformation.

Like all organizations today, state and local government agencies rely more on software than ever before. At the same time, the way software is developed has evolved. The idea of a lone developer sitting in a backroom writing code is long out of date.

Instead, development is dynamic and fast. Developers are using application programming interfaces, microservices, serverless computing, cloud and other new technologies. Today, more than 30 million developers contribute to community-based platforms, such as GitHub, accelerating open source software acceptance and usage.

These new approaches bring the benefit of speed and agility. But they also have substantially increased the risk and widened the threat landscape. The result is known as software risk – the danger that comes from greater software complexity and a need for speed.

For example, the Software Engineering Institute estimates that 90% of reported security incidents result from exploits against defects in software’s design or code.

What’s needed to reduce this software risk is an effective way to apply security measures while software is being developed, long before applications are scheduled to go live. To see why, it helps to understand that software security risk comes in three main forms.

The first is the software itself, especially as organizations use open source to speed time-to-market and decrease development costs. It’s critical that vulnerabilities in custom code, vulnerabilities in open source components and run-time risks are all identified early during software development.

The second is too little AppSec training. To avoid common pitfalls and improve coding practices, developers must understand them. If they don’t, they’re bound to repeat mistakes such as coding errors during development, which wastes time on unnecessary refactoring and retesting of software releases.

The third risk is the outdated approach to development that many agencies still use. Industry’s fast-paced development methodologies mean agencies must implement AppSec solutions during software development. Trying to implement security at a later stage could slow continuous development, delivery and deployment processes.

Unfortunately, development and security teams don’t often agree. According to a recent GitLab survey, nearly half of security professionals said they struggle to get developers to make remediation of vulnerabilities a priority. Similarly, half of security teams also believe AppSec testing contributes to delays.

To address the growing risk and broadening threat landscape, you need software security solutions that you can fully integrate into development processes. That means automated AppSec testing solutions that are transparent to developer workflows and that reduce time to detect, triage and remediate vulnerabilities.

Look for software security solutions that provide:

  • Simplified automation and integration into the tools developers already use.
  • Unparalleled accuracy without slowing development, delivery and deployment.
  • Quick remediation, in the shortest time possible with best-fix location.
  • Expansive coverage for languages, frameworks and the latest development methodologies.
  • Real-time AppSec awareness training, within developers’ integrated development environments, while they’re writing code.
  • Centrally managed systems development life cycle integration and orchestration flow, from scan to ticketing.

Today’s digital landscape pits software development against security in a race to put applications into use. But a better approach is to enable all three elements – development, security and speed – to work together. That way, government agencies avoid introducing vulnerabilities in the name of making applications available quickly or introducing delays through testing. They simply introduce security.

This article is an excerpt from GovLoop Academy’s recent course, “How to Address Security Vulnerabilities in the Development Cycle.” Access the full course here.